By default, Cisco IOS doesn’t provide traffic monitoring tools like the iftop or iptraf utilities available in Linux. While there are lots of proprietary solutions for this purpose, including Cisco Netflow Collection, you are free to choose the open source nfdump and nfsen software to monitor the traffic of one or many Cisco routers and get detailed monitoring data on your Linux command line or as graphs, at absolutely no cost.

Below is a beginner’s guide that helps you quickly deploy a netflow collector and visualizer under Linux and impress everybody with cute and descriptive graphs like these:

nfsen screen

It is highly recommended to look through the Netflow basics to get a brief understanding of how it works before configuring anything. For example, here is Cisco’s document that gives complete information about Netflow. In a few words: to get started, you enable netflow export on the Cisco router and point it at a netflow collector running under Linux. The exported data will contain complete information about all packets the router has received/sent, so nfdump and nfsen running under Linux will collect it and visualize it to present you with graphs like the example above.

Cisco Router Setup

1. Enable flow export on ALL of the Cisco router’s interfaces that send and receive traffic. Here is an example:

Router1# configure terminal
Router1(config)#interface FastEthernet 0/0
Router1(config-if)#ip route-cache flow input
Router1(config-if)#interface FastEthernet 0/1
Router1(config-if)#ip route-cache flow input
...

2. Set up netflow export:

Router1# configure terminal
Router1(config)#ip flow-export source FastEthernet0/0
Router1(config)#ip flow-export source FastEthernet0/1
Router1(config)#ip flow-export version 5
Router1(config)#ip flow-export destination 1.1.1.1 23456

Here 1.1.1.1 is the IP address of the Linux host where you plan to collect and analyze the netflow data, and 23456 is the port number of the netflow collector running on Linux.

Linux Setup

1. Download and install nfdump.

cd /usr/src/
wget -O nfdump-1.6.2.tar.gz http://sourceforge.net/projects/nfdump/files/stable/nfdump-1.6.2/nfdump-1.6.2.tar.gz/download
tar -xvzf nfdump-1.6.2.tar.gz
cd nfdump-1.6.2
./configure --prefix=/ --enable-nfprofile
make
make install

2. Download and install nfsen.

It requires a web server with the php module and RRD, so make sure you have the corresponding packages installed. I hope you’re running httpd with php already, so below are installation hints for the rrd/perl related packages only.

Fedora/Centos/Redhat users should type this:

yum install rrdtool rrdtool-devel rrdutils perl-rrdtool

Ubuntu/Debian:

aptitude install rrdtool librrd2-dev librrd-dev librrd4 librrds-perl librrdp-perl

If you run some exotic Linux distribution, just install everything that is related to rrd + perl.

Finally, the nfsen installation:

cd /usr/src/
wget -O nfsen-1.3.5.tar.gz http://sourceforge.net/projects/nfsen/files/stable/nfsen-1.3.5/nfsen-1.3.5.tar.gz/download
tar -xvzf nfsen-1.3.5.tar.gz
cd nfsen-1.3.5
cp etc/nfsen-dist.conf etc/nfsen.conf

In order to continue, you should edit the file etc/nfsen.conf to specify where to install nfsen, the web server’s username, its document root directory, etc. The file is commented, so there shouldn’t be serious problems with it.

One of the major sections of nfsen.conf is ‘Netflow sources’. It should contain exactly the same port number(s) you’ve configured on the Cisco router: recall the ‘ip flow-export …’ line where we specified port 23456. E.g.

%sources = (
    'Router1'    => { 'port' => '23456', 'col' => '#0000ff', 'type' => 'netflow' },
);

Now it’s time to finish the installation:

./install.pl etc/nfsen.conf

On success you’ll see a corresponding notification, after which you have to start the nfsen daemon to get the ball rolling:

/path/to/nfsen/bin/nfsen start

From this point on, nfdump is collecting the netflow data exported by the Cisco router and nfsen is hard at work visualizing it. Just open a web browser and go to http://linux_web_server/nfsen/nfsen.php to make sure. If you see empty graphs, just wait for a while to let nfsen collect enough data to visualize.

That’s it!

 

16 Comments

 

  1. November 26, 2010  5:52 am by Tom

    Thank you for the information. I always enjoy reading your articles; your site has helped me out a few times already - thanks again.

  2. November 26, 2010  9:16 am by Joseph

    useful post!

    I would also like to suggest that you can use ManageEngine NetFlow Analyzer to monitor traffic at Cisco routers. Yes, it runs on Linux too!

    cheers
    joe

  3. November 26, 2010  3:44 pm by artiomix

    thanks for the link, Joseph, but where are the prices for that soft? :)

  4. Pingback : links for 2010-11-26 « Where Is All This Leading To?

  5. December 2, 2010  10:44 am by Joseph

    free edition also available

    and pro edition prices start at $795, you can see that in netflowanalyzer.com

    cheers
    joe

  6. January 12, 2011  5:29 am by Linux Commands

    Excellent post. Thanks for the info on How to monitor traffic at Cisco router using Linux. Very much useful.

  7. January 26, 2011  1:39 pm by Beatriz Straton

    invaluable information A little bit in a hurry, did not get to read everything but will definitely come back later to finish everything. I think the second paragraph pretty much says everything.. for several years

  8. February 14, 2011  10:00 pm by router address

    Nice article, but this won't appear to work together with my router ip address, any advice?

  9. March 28, 2011  7:06 pm by jouets moins chers

    Definitely believe that which you stated. Your favorite reason appeared to be on the net the simplest thing to be aware of. I say to you, I definitely get annoyed while people consider worries that they plainly do not know about. You managed to hit the nail upon the top and also defined out the whole thing without having side-effects , people could take a signal. Will probably be back to get more. Thanks

  10. March 29, 2011  7:02 pm by Glow Bracelets

    neat blog theme! what place? anyway, I have already been hanging out right here for some time now and ultimately I have the courage to leave a comment. most of your write-up is utterly fascinating well, i decided to share it on facebook.

  11. March 30, 2011  2:54 pm by hotell

    I view something genuinely interesting about your weblog so I bookmarked.

  12. April 22, 2011  9:36 pm by Sunnyvale (CA) Estate Planning Lawyer

    Thanks for a very informative web site. What else may I get that type of info written in such a perfect manner? I've a mission that I'm simply now working on, and I've been at the look out for such info.

  13. June 7, 2012  1:32 pm by aleen

    While configuring nfdump, there is an error
    "configure: error: Can not link librrd. Please specify --with-rrdpath=.. configure failed!"
    Please suggest

  14. June 8, 2012  10:41 am by badr

    please help
    I have an error when installing nfsen
    UNIVERSAL->import is deprecated and will be removed in a future perl at /opt/nfsen/libexec/Nfcomm.pm line 47
    thanks

    thn

  15. Pingback : Netflow with Open Source | GNC

  16. December 3, 2012  5:01 am by ak2766

    In the nfsen.conf file, it has the following example for the %sources:
    %sources = (
    'upstream1' => { 'port' => '9995', 'col' => '#0000ff', 'type' => 'netflow' },
    'peer1' => { 'port' => '9996', 'IP' => '172.16.17.18' },
    'peer2' => { 'port' => '9996', 'IP' => '172.16.17.19' },
    );
    There is no explanation what 'IP' is and where/why it is mentioned in there! Any chance you can expand on this?

    Cheers,
    ak.
